Hi guys:
I've been trying to find information about how to encrypt a backup to tape (I'm using a couple of simple commands: tar, find | backup), I didn't find a real example of how to do that, just a couple of white papers and information about the methods that use the backup, policies, etc.
I don't know also if there's a free-cost solution and the solutions presented has the problem that I need an intermediate server \(for example using TKM Tivoli Key Manager\), so in a case of a real recovery I will need this server for restoration. I don't want a complex solution, since I only have one tape drive \(and one backup\), I just need to encrypt one tape and have a simple solution to restore it in another site \(without the fear that if the tape is stolen, somebody could restore\).
Does exists a solution like that? Any recommendations will be welcome.
Thanks!
Make sure you have the secret key stored securely and you are able to recover that by another method, i.e. not from the tape you just encrypted it on to.
Don't laugh, but I've been on a recovery test where we had to connect back to the live servers to get the key. Not great seeing as we were pretending that we'd had an incident meaning all our live servers were dead.
backup is one thing, but making sure you can restore is quite another - and rather useful to prove.
Thanks for your suggestions guys, I found this alternative once and works very well, the problem is that tar supports files under 2GB, and the filesystems backed up with restore are very, very big (some files more than 200GB) I did a test once with openssl and simply doesn't works.
Also since encryption add time to encrypt using another tool, maybe it's time to consider something native like IBM tape encryption solution or more.
Thanks anyway, I'd like to keep open this post and I'll be posting the advance.
You can try pax, the Posix tar.
It still has restrictions regarding the length of a file name.
E.g. dirpath <= 150 characters and filepath <= 100 characters.
But no restrictions on UIDs or file size.
A comparison:
Understood. But notice that in Neos method every piece has a certain, distinct role:
tar cvf - /myOracleDB | gzip -c | openssl enc -aes-256-cbc -salt -pass file:/.my_secret_key >/dev/rmt1
--------------------- ------- --------------------------------------------------------- ----------
| | | |
| | | |
| | | redirects
| | | this stream
| | | to tape
| | | instead of a
| | | file
| | further changes the data stream, now by
| | by encrypting it
| |
| changes
| the data
| stream by
| compressing
| it
|
creates a stream of
data (the backup)
From this it follows that you just have to change the component which doesn't do its job according to specification - in this case the tar - and everything else can be left the same. Take any program that:
can cope with 200GB-files
doesn't create a file but can be told to write to stdout (like tar f - )
and you are good to plug that in instead of tar . pax , as suggested by MadeInGermany is such a program, but you surely can find others too. This is why creating software in small, distinct pieces instead of one big kludge is such a great idea. If the process above would have been done in one complex program you can either take that or leave it completely. Now you just change the one component and are again ready to go.